The following errata report has been verified for RFC6781, "DNSSEC Operational Practices, Version 2".
--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6692

--------------------------------------
Status: Verified
Type: Technical

Reported by: Jarle Fredrik Greipsland <[email protected]>
Date Reported: 2021-09-22
Verified by: Warren Kumari (Ops AD) (IESG)

Section: Appendix D

Original Text
-------------
   ------------------------------------------------------------
      new DS           |           pre-publish                 |
   ------------------------------------------------------------
   Parent:
    NS_A                 NS_A
    DS_A DS_B            DS_A DS_B
   ------------------------------------------------------------
   Child at A:          Child at A:          Child at B:
    SOA_A0               SOA_A1               SOA_B0
    RRSIG_Z_A(SOA)       RRSIG_Z_A(SOA)       RRSIG_Z_B(SOA)
    NS_A                 NS_A                 NS_B
    RRSIG_Z_A(NS)        NS_B                 RRSIG_Z_B(NS)
                         RRSIG_Z_A(NS)
    DNSKEY_Z_A           DNSKEY_Z_A           DNSKEY_Z_A
                         DNSKEY_Z_B           DNSKEY_Z_B
    DNSKEY_K_A           DNSKEY_K_A           DNSKEY_K_B
    RRSIG_K_A(DNSKEY)    RRSIG_K_A(DNSKEY)    RRSIG_K_A(DNSKEY)
                         RRSIG_K_B(DNSKEY)    RRSIG_K_B(DNSKEY)
   ------------------------------------------------------------

Corrected Text
--------------
   ------------------------------------------------------------
      new DS           |           pre-publish                 |
   ------------------------------------------------------------
   Parent:
    NS_A                 NS_A
    DS_A DS_B            DS_A DS_B
   ------------------------------------------------------------
   Child at A:          Child at A:          Child at B:
    SOA_A0               SOA_A1               SOA_B0
    RRSIG_Z_A(SOA)       RRSIG_Z_A(SOA)       RRSIG_Z_B(SOA)
    NS_A                 NS_A                 NS_B
    RRSIG_Z_A(NS)        NS_B                 RRSIG_Z_B(NS)
                         RRSIG_Z_A(NS)
    DNSKEY_Z_A           DNSKEY_Z_A           DNSKEY_Z_A
                         DNSKEY_Z_B           DNSKEY_Z_B
    DNSKEY_K_A           DNSKEY_K_A           DNSKEY_K_B
    RRSIG_K_A(DNSKEY)    RRSIG_K_A(DNSKEY)    RRSIG_K_B(DNSKEY)
   ------------------------------------------------------------

Notes
-----
Figure 15 in Appendix D depicts the phases of a double DS KSK rollover operator change. One rationale for applying this approach is to avoid the exchange of signatures (RRSIGs) between operators, and to limit exchanges to the public parts of the ZSKs in use.

In the pre-publish phase in the figure, it is shown that Child A publishes a signature over the DNSKEY RRset generated by Child B's KSK, and that Child B publishes a signature over the DNSKEY RRset generated by Child A's KSK. This is contrary to the rationale given for this method, and also not required, since the pre-published double DS RRs at the parent zone should enable a validator to validate the signature generated by either of the two KSKs in use; thus one RRSIG RR for the DNSKEY RRset is sufficient at each child. Therefore, the RRSIG_K_B(DNSKEY) RR should be removed from Child A, and the RRSIG_K_A(DNSKEY) RR should be removed from Child B.

[Warren Kumari, Ops AD]: Marking as Verified, please see the thread at https://mailarchive.ietf.org/arch/msg/dnsop/voplw-sLcS-6u458reknBGQR2T0/ for additional information / justification.

--------------------------------------
RFC6781 (draft-ietf-dnsop-rfc4641bis-13)
--------------------------------------
Title               : DNSSEC Operational Practices, Version 2
Publication Date    : December 2012
Author(s)           : O. Kolkman, W. Mekking, R. Gieben
Category            : INFORMATIONAL
Source              : Domain Name System Operations
Stream              : IETF
Verifying Party     : IESG
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
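The reasoning in the errata note rests on the DNSKEY-RRset acceptance rule of RFC 4035, Section 5.2: a validator authenticates the child's DNSKEY RRset as soon as one DS at the parent matches one DNSKEY in the set and that DNSKEY has a valid RRSIG over the set. The model below is an added example, not text or code from RFC 6781 or the errata report, that walks the corrected pre-publish phase of Figure 15 through that rule. Key tags (RFC 4034 Appendix B) and DS digests (RFC 4034, Section 5.1.4, digest type 2) are computed as specified; the signature algorithm is a Lamport one-time signature over SHA-256, carried under private algorithm number 253 as a stand-in for the RSA/ECDSA algorithms real zones use, so the whole thing runs on the Python standard library. The zone name, key seeds and the bytes an RRSIG is taken over are constructed for the example; the function names are the example's own.

```python
"""Model of the DNSKEY-RRset acceptance rule (RFC 4035, Section 5.2) applied to
the double-DS operator change of RFC 6781 Figure 15.  Key tags and DS digests
follow RFC 4034; the signature scheme is a Lamport one-time signature built on
SHA-256 as a stand-in for RSA/ECDSA, carried under private algorithm 253.
Names, seeds and the RRSIG message layout are constructed for this example."""
import hashlib
import struct

ALG_PRIVATE = 253               # RFC 4034 Appendix A.1: PRIVATEDNS, not a real algorithm
KSK_FLAGS, ZSK_FLAGS = 257, 256  # ZONE|SEP and ZONE


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase labels, root terminator."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for(owner, rdata):
    """DS RR (key tag, digest) the parent publishes for this DNSKEY, digest type 2."""
    return key_tag(rdata), hashlib.sha256(owner_wire(owner) + rdata).digest()


def _hash_bits(msg):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


class SigningKey:
    """A DNSKEY whose private half is a Lamport one-time key (stand-in algorithm)."""

    def __init__(self, seed, flags):
        # seed is a constructed, deterministic secret; a real key uses fresh randomness
        self.priv = [[hashlib.sha256(seed + bytes([i, b])).digest() for b in (0, 1)]
                     for i in range(256)]
        pub = b"".join(hashlib.sha256(s).digest() for pair in self.priv for s in pair)
        self.rdata = struct.pack("!HBB", flags, 3, ALG_PRIVATE) + pub  # flags, proto, alg
        self.tag = key_tag(self.rdata)

    def sign(self, msg):
        """RRSIG stand-in: (key tag, signature) over the RRset message."""
        return self.tag, b"".join(self.priv[i][bit] for i, bit in enumerate(_hash_bits(msg)))


def lamport_verify(rdata, msg, sig):
    """Verify sig using only the public key carried in a DNSKEY RDATA."""
    pub = rdata[4:]
    if len(sig) != 256 * 32 or len(pub) != 2 * 256 * 32:
        return False
    return all(hashlib.sha256(sig[32 * i:32 * i + 32]).digest()
               == pub[(2 * i + bit) * 32:(2 * i + bit + 1) * 32]
               for i, bit in enumerate(_hash_bits(msg)))


def rrset_message(owner, rdatas):
    """Bytes an RRSIG covers in this model: owner name plus RDATAs in canonical order."""
    return owner_wire(owner) + b"".join(sorted(rdatas))


def dnskey_rrset_authenticated(owner, rdatas, rrsigs, parent_ds):
    """RFC 4035, Section 5.2: the DNSKEY RRset is authenticated if some DS at the
    parent matches a DNSKEY in the set and an RRSIG made with that DNSKEY verifies.
    One matching DS plus one RRSIG is enough; further RRSIGs add nothing."""
    msg = rrset_message(owner, rdatas)
    for rdata in rdatas:
        if ds_for(owner, rdata) not in parent_ds:
            continue                      # no DS points here: key cannot anchor the set
        tag = key_tag(rdata)
        if any(t == tag and lamport_verify(rdata, msg, s) for t, s in rrsigs):
            return True
    return False


def figure15_prepublish():
    """Corrected Figure 15, pre-publish phase: parent holds DS_A and DS_B; each
    operator signs the shared DNSKEY RRset with its own KSK only."""
    owner = "example."                                   # constructed zone name
    k_a, k_b = SigningKey(b"K_A", KSK_FLAGS), SigningKey(b"K_B", KSK_FLAGS)
    z_a, z_b = SigningKey(b"Z_A", ZSK_FLAGS), SigningKey(b"Z_B", ZSK_FLAGS)
    dnskeys = [z_a.rdata, z_b.rdata, k_a.rdata, k_b.rdata]   # DNSKEY_Z_A Z_B K_A K_B
    msg = rrset_message(owner, dnskeys)
    both_ds = {ds_for(owner, k_a.rdata), ds_for(owner, k_b.rdata)}  # "new DS" phase done
    only_ds_a = {ds_for(owner, k_a.rdata)}                           # DS_B not yet published
    at_a, at_b = [k_a.sign(msg)], [k_b.sign(msg)]   # RRSIG_K_A(DNSKEY), RRSIG_K_B(DNSKEY)
    return {
        "child_a_with_both_ds": dnskey_rrset_authenticated(owner, dnskeys, at_a, both_ds),
        "child_b_with_both_ds": dnskey_rrset_authenticated(owner, dnskeys, at_b, both_ds),
        "child_b_before_ds_b": dnskey_rrset_authenticated(owner, dnskeys, at_b, only_ds_a),
    }


if __name__ == "__main__":
    for case, ok in figure15_prepublish().items():
        print(f"{case}: {'secure' if ok else 'bogus'}")
```

The third case is the operational caveat behind the ordering of the phases: an answer from operator B signed only with K_B is bogus until DS_B has been published at the parent and has propagated through caches, which is exactly why the "new DS" phase precedes "pre-publish" in the figure. The single-RRSIG-per-child layout is what the errata proposes; the cross-signatures it removes would not have rescued that case either, since a validator that does not yet see DS_B has no path to K_B regardless of who signed.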
